Experiment No.

Aim: To study Wireshark – open source packet analyzer.

Theory:

Wireshark is the world's most popular network analyzer. This very powerful tool
provides network and upper layer protocols information about data captured in a network.
Like a lot of other network programs, Wireshark uses the pcap network library to capture
packets.

The Wireshark strength comes from:

- its easiness to install.
- the simplicity of use of its GUI interface.
- the very high number of functionality available.

Wireshark is a free and open-source packet analyzer. It is used for network

troubleshooting, analysis, software and communications protocol development, and
education. Originally named Ethereal, in May 2006 the project was renamed Wireshark
due to trademark issues.

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user
interface, and using pcap to capture packets; it runs on various Unix-like operating
systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows.
There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other
programs distributed with it such as TShark, are free software, released under the terms
of the GNU General Public License.

As a network packet analyzer, Wireshark can peer inside the network and examine the
details of traffic at a variety of levels, ranging from connection-level information to the
bits comprising a single packet. This flexibility and depth of inspection allows the
valuable tool to analyze security events and troubleshoot network security device issues.
It's also priced right: it's free!

Why sniff the network?

Before anyone uses Wireshark, an organization should ensure that it has a clearly
defined privacy policy that spells out the rights of individuals using its network, grants
permission to sniff traffic for security and troubleshooting issues, and states the
organization's policy requirements for obtaining, analyzing and retaining network traffic
dumps. Anyone who uses a tool like Wireshark without first obtaining the necessary
permissions may quickly find themselves in hot water legally.

However, as a security professional, there are two important reasons to sniff network
traffic. First, peering into the details of packets can prove invaluable when dissecting a
network attack and designing countermeasures. For example, if a denial of service
occurs, Wireshark can be used to identify the specific type of attack. The tool can then
craft upstream firewall rules that block the unwanted traffic. The second major use of
Wireshark is to troubleshoot security devices. Specifically, I regularly use it to
troubleshoot firewall rules. If systems running Wireshark are connected to either side of a
firewall, it's easy to see which packets successfully traverse the device and identify
whether the firewall is the cause of connectivity problems.

That being said, it's important to remember that Wireshark can be used for good or for
evil, as is the case with many security analyzers. In the hands of a network or security
administrator it's a valuable troubleshooting tool. In the hands of someone with
questionable ethics, however, it's a powerful eavesdropping tool that enables someone to
view every packet that traverses the network.

Installing Wireshark:

Binary versions can be downloaded for Windows or Macintosh OS X. Wireshark is also

available through the standard software distribution systems for most flavors of
Unix/Linux, and the source code is also available for installation on other operating
systems.

The Wireshark development team built the Windows version on top of the WinPcap
packet capture library. Those running Windows must install WinPcap if they haven't
already. One word of caution: If you're running an outdated version of WinPcap, remove
it manually through the "Add/Remove Programs" control panel before running the
Wireshark installer.

The installation process uses a familiar wizard-based sequence that only asks two
significant questions: whether you want to install WinPcap and whether you want to start
the WinPcap Netgroup Packet Filter (NPF) service at startup. Selecting the latter option
allows users without administrator privileges to capture packets. If you don't start this
service, only administrators will be able to run Wireshark.

Running a simple packet capture

Once Wireshark is installed, start it up and you'll be presented with the blank screen
shown below:
To start scanning, choose Interfaces from the Capture menu. You'll see a pop-up window
similar to the one below:

If you'd like to configure advanced options -- like capturing a file, resolving MAC
addresses and DNS names, or limiting the time or size of the capture -- click the Options
button corresponding to the interface you wish to configure. Many of these options can
help to improve the performance of Wireshark. For example, you can adjust settings to
avoid name-resolution issues, as they will otherwise slow down your capture system and
generate large numbers of name queries. Time and size limits can also place limitations
on unattended captures. Otherwise, simply click the Start button next to the name of the
interface on which you wish to capture traffic. The Wireshark screen will immediately
begin filling up with traffic seen on the network interface, as shown below:
Interpreting the results

Each line in the top pane of the Wireshark window corresponds to a single packet seen on
the network. The default display shows the time of the packet (relative to the initiation of
the capture), the source and destination IP addresses, the protocol used and some
information about the packet. You can drill down and obtain more information by
clicking on a row. This causes the bottom two window panes to fill with information.

The middle pane contains drill-down details on the packet selected in the top frame. The
"+" icons reveal varying levels of detail about each layer of information contained within
the packet. In the example above, I've selected a DNS response packet. I've expanded the
DNS response (application layer) section of the packet to show that the original was
requesting a DNS resolution for www.cnn.com, and this response is informing us that the
available IP addresses include 64.236.91.21. The bottom window pane shows the
contents of the packet in both hexadecimal and ASCII representations.

Color is your friend when analyzing packets with Wireshark. Notice in the example
above that each row is color-coded. The darker blue rows correspond to DNS traffic, the
lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic.
Wireshark includes a complex color-coding scheme (which you can customize). The
default settings appear below:
Conclusion:
Thus, Wireshark, an open source packet analyzer provides several benefits, namely
marking of packets, easy filtering, etc. and can be used for network troubleshooting,
analysis, software and communications protocol development, and education.